Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 1 Aug 2014 16:13:46 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: Steve Kemp <steve@...ve.org.uk>, Claude Bulin <xcfa@...family.org>,
	CVE Assignments MITRE <cve-assign@...re.org>
Subject: CVE request: xcfa: Insecure use of temporary files, subject to race
 conditions

Hi

Steve Kemp discovered several problems in xcfa, a tool to extract
audio CDs and convert files to various formats related to insecure use
of temporary files possibly allowing arbitrary code execution.

I'm full-quoting his findings from the Debian BTS:

https://bugs.debian.org/756600

> xcfa contains several insecure uses of temporary files.
> 
> For example the file src/get_info.c has code to test that
> curl is present, in the function GetInfo_wget which
> essentially runs:
> 
> 	wget --user-agent=\"Mozilla 22.0\" --directory-prefix=/tmp/  http://google.fr/
>         ..
>         if [ -e /tmp/index.html ]; then 
> 		rm /tmp/index.html
> 	fi
> 
> This is probably safe, because wget will not follow symlinks, and will
> instead create "index.html.1" - but any existing file called /tmp/index.html
> will be removed regardless.
> 
> More serious issues exist throughout the codebase.  For example the
> code in dvdread_create_recap_audio, located in src/dvd_read.c contains
> this lovely function:
> 
>         // Suppression du fichier precedant si il existe
>         g_unlink ("/tmp/get_infos_dvd.sh");
>         g_unlink ("/tmp/infos_dvd.txt");
> 
>         fp = fopen ("/tmp/get_infos_dvd.sh", "w");
> 
>         fprintf (fp, "#!/bin/sh\n");
>         fprintf (fp, "\n");
>         fprintf (fp, "set -e\n");
>         fprintf (fp, "\n");
> 
> 	..
> 	..
> 
>         system ("chmod +x /tmp/get_infos_dvd.sh");
> 
>         system ("/tmp/get_infos_dvd.sh");
>         g_unlink ("/tmp/get_infos_dvd.sh");
> 
> 
> Similarly the code which copies files to the trashbin, located in src/file_trash.c,
> has some nice code which runs:
> 
>         system ("env | grep \"KDE_FULL_SESSION\" > /tmp/tst_kde_full_session.txt");
>         if ((fp = fopen ("/tmp/tst_kde_full_session.txt", "r")) != NULL) {
>                 while (fgets (buf, MAX_CARS_KDE, fp) != NULL) {
>                         if (strcmp (buf, "KDE_FULL_SESSION") == 0) {
>                                 if (strcmp (buf, "true") == 0 || strcmp (buf, "TRUE") == 0) {
>                                         BoolRet = TRUE;
>                                         break;
>                                 }
>                         }
>                 }
>                 fclose (fp);
>         }
>         g_unlink ("/tmp/tst_kde_full_session.txt");
> 
> 
> In short this codebase is rife with race-conditions allowing arbitrary shell executation,
> via /tmp/get_infos_dvd.sh, and file truncation/deletion.
> 
> I'd strongly urge the maintainer to audit the codebase for additional issues, with the
> help of upstream.

Would one CVE suffice? Could you allocate a CVE for these issues in xcfa?

Regards,
Salvatore

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ